Channels
- b
Bacarus
10 months agoHi again, I’m sorry to bother you with my questions, I’m trying to understand how logging works and some doubts come to the surface. When an host is disconnected to fleet it continues to produce the scheduled logs and, when the connection is restored, the host send all the logs to the server. • How does the agent store those logs? • Does the agent store it locally? • Can I edit the space that is used by the agent to store those logs? Reading the osquery documentation I’ve found
and--logger_rotate_size
, are they related to this use case or are they only for the filesystem logging plugin?--logger_rotate_max_files 
Jocelyn Bothe
10 months agoosquery uses a local rocksdb to store query results- b
Bacarus
10 months agoI think that
is the flag that I was looking for. The value represents “_the maximum number of logs to buffer before dropping new logs”_ . So there is no way to select a predefined size of the memory used by rocksdb to buffer the logs, I can only play around the number of logs, am I right?--buffered_log_max
The values refers to the maximum number of the logs between all the queries? for example if I have 3 scheduled queries and
can I have 10 logs per query in the buffer (for a total of 30 logs) ?--buffered_log_max=10
View count: 1